Detail

Multiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.

Background

Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.

Description

Multiple vulnerabilities have been discovered in Tor:

* When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768). * When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769). * An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).

Impact

A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user's connection.

OVAL Definitions

It has been discovered by &quot;frosty_un&quot; that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. Specifically, a relay that a user connects to directly could learn which other relays that user is connected to directly. In combination with other attacks, this issue can lead to deanonymizing the user. The Common Vulnerabilities and Exposures project has assigned CVE-2011-2768 to this issue. In addition to fixing the above mentioned issues, the updates to oldstable and stable fix a number of less critical issues. Please see this posting from the Tor blog for more information: https://blog.torproject.org/blog/tor-02234-released-security-patches

It was discovered that Tor, an online privacy tool, incorrectly computes buffer sizes in certain cases involving SOCKS connections. Malicious parties could use this to cause a heap-based buffer overflow, potentially allowing execution of arbitrary code. In Tor's default configuration this issue can only be triggered by clients that can connect to Tor's socks port, which listens only on localhost by default. In non-default configurations where Tor's SocksPort listens not only on localhost or where Tor was configured to use another socks server for all of its outgoing connections, Tor is vulnerable to a larger set of malicious parties.